Add option to prefer https/ssl in configure-mirrors

We should offer the option of https in addition to http in our configure-mirrors role as users may want to consume mirrors using https. This has become more viable in recent years with the releases of Debian Buster and Ubuntu Bionic supporting it out of the box. Change-Id: I747c1a379dfce9469e643d7fa199c8e8554f5289
2020-05-19 14:57:14 -07:00 · 2020-05-19 14:57:14 -07:00 · 9471b8c42b
commit 9471b8c42b
parent 6a2aaf7c80
9 changed files with 51 additions and 14 deletions
--- a/roles/configure-mirrors/README.rst
+++ b/roles/configure-mirrors/README.rst
@ -7,6 +7,13 @@ An ansible role to configure services to use mirrors.

   The base host for mirror servers.

+.. zuul:rolevar:: mirror_use_ssl
+   :default: False
+
+   Use ssl to communicate to mirror endpoints. Note if the platform
+   cannot use ssl (for example Ubuntu Xenial apt needs additional packages)
+   this will still use http instead of https when set for that platform.
+
 .. zuul:rolevar:: pypi_fqdn
   :default: {{ mirror_fqdn }}

--- a/roles/configure-mirrors/defaults/main.yaml
+++ b/roles/configure-mirrors/defaults/main.yaml
@ -1,5 +1,12 @@
+set_apt_mirrors_trusted: False
 mirror_fqdn: "{{ zuul_site_mirror_fqdn|default(omit) }}"
 pypi_fqdn: "{{ mirror_fqdn }}"
-pypi_mirror: "http://{{ pypi_fqdn }}/pypi/simple"
-set_apt_mirrors_trusted: False
-wheel_mirror: "http://{{ mirror_fqdn }}/wheel/{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}"
+mirror_use_ssl: False
+http_or_https: >-
+  {%- if mirror_use_ssl and ansible_distribution_release not in ['xenial', 'stretch'] -%}
+  https
+  {%- else -%}
+  http
+  {%- endif -%}
+pypi_mirror: "{{ http_or_https }}://{{ pypi_fqdn }}/pypi/simple"
+wheel_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/wheel/{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}"
--- a/roles/configure-mirrors/vars/CentOS.yaml
+++ b/roles/configure-mirrors/vars/CentOS.yaml
@ -1,2 +1,2 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
-epel_mirror: "http://{{ mirror_fqdn }}/epel"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+epel_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/epel"
--- a/roles/configure-mirrors/vars/Debian.yaml
+++ b/roles/configure-mirrors/vars/Debian.yaml
@ -1,2 +1,2 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
-security_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-security"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+security_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-security"
--- a/roles/configure-mirrors/vars/Fedora.yaml
+++ b/roles/configure-mirrors/vars/Fedora.yaml
@ -1 +1 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
--- a/roles/configure-mirrors/vars/Suse.yaml
+++ b/roles/configure-mirrors/vars/Suse.yaml
@ -1,7 +1,7 @@
-package_mirror: "http://{{ mirror_fqdn }}/opensuse"
 wheels_slug: "{%- if ansible_distribution == 'openSUSE Tumbleweed' -%}
                 opensuse-tumbleweed-{{ ansible_architecture | lower }}
              {%- else -%}
                 {{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}
              {%- endif -%}"
-wheel_mirror: "http://{{ mirror_fqdn }}/wheel/{{ wheels_slug }}"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/opensuse"
+wheel_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/wheel/{{ wheels_slug }}"
--- a/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml
+++ b/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml
@ -1 +1 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-ports"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-ports"
--- a/roles/configure-mirrors/vars/Ubuntu.yaml
+++ b/roles/configure-mirrors/vars/Ubuntu.yaml
@ -1 +1 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
--- a/test-playbooks/base-roles/configure-mirrors.yaml
+++ b/test-playbooks/base-roles/configure-mirrors.yaml
@ -1,4 +1,4 @@
- name: Test the configure-mirrors role
+- name: Test the configure-mirrors role with http
  hosts: all
  roles:
    - role: configure-mirrors
@ -9,7 +9,30 @@
      set_fact:
        emacs_package: app-editors/emacs
      when: ansible_distribution == 'Gentoo'
-    - name: Install a package to sanity check the mirror configuration
+    - name: Install a package to sanity check the http mirror configuration
+      package:
+        name: "{{ emacs_package | default('emacs') }}"
+        state: "present"
+      become: yes
+
+- name: Test the configure-mirrors role with https
+  hosts: all
+  roles:
+    - role: configure-mirrors
+      mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+      mirror_use_ssl: True
+      set_apt_mirrors_trusted: True
+  post_tasks:
+    - name: Set emacs package fact for gentoo
+      set_fact:
+        emacs_package: app-editors/emacs
+      when: ansible_distribution == 'Gentoo'
+    - name: Remove existing emacs package install
+      package:
+        name: "{{ emacs_package | default('emacs') }}"
+        state: "absent"
+      become: yes
+    - name: Install a package to sanity check the https mirror configuration
      package:
        name: "{{ emacs_package | default('emacs') }}"
        state: "present"